Database input sanitization with PHP forms

Problem description:

I sanitise the data I receive from the form in the following way:

$gender = filter_var($_POST['gender'], FILTER_SANITIZE_STRING);
$firstName = filter_var($_POST['firstName'], FILTER_SANITIZE_STRING);
$lastName = filter_var($_POST['lastName'], FILTER_SANITIZE_STRING);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$message = filter_var($_POST['comment'], FILTER_SANITIZE_STRING);
$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);
$numBrochures = (int) filter_var($_POST['quantity'], FILTER_SANITIZE_NUMBER_INT);

The relevant SQL queries that insert the data are as follows:

if (mysqli_query($conn, "INSERT INTO users(firstName, lastName, email, gender) VALUES('$firstName', '$lastName', '$email', '$gender')") == TRUE) {
  logSuccess($file, "Adding user");
}
else {
  logError($file, "Adding user", mysqli_error($conn));
}

$userId = $conn->query("SELECT `userId` FROM users WHERE `firstName` = '$firstName' AND `lastName` = '$lastName' AND `email` = '$email'")->fetch_object()->userId;
if ($userId == false) {
  logError($file, "Fetching user id", mysqli_error($conn));

}

if (mysqli_query($conn, "INSERT INTO brochureOrders(userId, address, numBrochures, message) VALUES('$userId', '$address', '$numBrochures', '$message')") == TRUE) {
  logSuccess($file, "Brochure Order");
  $sendConfirmationEmail = true;
}
else {
  logError($file, "Brochure Order", mysqli_error($conn));
}

However, in my database, I see entries like the following:

address = "vz8y8E  gghwptvvzuak, [url=http://ytvsmximkjnp.com/]ytvsmximkjnp[/url], [link=http://hiabgyvsjifp.com/]hiabgyvsjifp[/link], http://tyvylndqitoy.com/"

Shouldn't the following have taken care of this?

$address = filter_var($_POST['address'], FILTER_SANITIZE_STRING);

Could someone tell me what I am doing incorrectly here?

Because the OP stated in the comments that he wants to switch to prepared statements, I thought I'd show him an example.

Instead of something like this:

if (mysqli_query($conn, "INSERT INTO users(firstName, lastName, email, gender) VALUES('$firstName', '$lastName', '$email', '$gender')") == TRUE) {
  logSuccess($file, "Adding user");
}
else {
  logError($file, "Adding user", mysqli_error($conn));
}

Do something like this:

$query = "INSERT INTO users (firstName, lastName, email, gender) VALUES(?, ?, ?, ?)";

// $mysqli is the mysqli connection object ($conn in the question)
if($stmt = $mysqli->prepare($query)){
    // 'ssss': all four bound parameters are strings
    $stmt->bind_param('ssss', $firstName, $lastName, $email, $gender);
    $stmt->execute();
    $stmt->close();
}else die("Failed to prepare!");

and this

$query = "SELECT `userId` FROM users WHERE `firstName` = ? AND `lastName` = ? AND `email` = ?";

if($stmt = $mysqli->prepare($query)){
    $stmt->bind_param('sss', $firstName, $lastName, $email);
    $stmt->execute();
    // bind the selected column to $userId; fetch() fills it from the first row
    $stmt->bind_result($userId);
    $stmt->fetch();
    $stmt->close();
}else die("Failed to prepare!");
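
The prepared-statement approach above, carried through both inserts and paired with validation that rejects the kind of entry shown in the question, as an added example that is not part of the original question or answer. The helper names `validateOrder` and `saveOrder`, the allowed gender values, the quantity range, the URL/BBCode pattern and an AUTO_INCREMENT `userId` column are assumptions.

```php
<?php
// Added example. Helper names, allowed values, limits and the pattern are assumptions.
// FILTER_SANITIZE_STRING only strips HTML tags and encodes quotes; URLs and [url=...] pass.
function validateOrder(array $in): array {
    $text = fn(string $k) => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    $o = [
        'firstName' => $text('firstName'), 'lastName' => $text('lastName'),
        'gender'    => $text('gender'),    'address'  => $text('address'),
        'message'   => $text('comment'),
        'email'     => filter_var($text('email'), FILTER_VALIDATE_EMAIL),
        'quantity'  => filter_var($text('quantity'), FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1, 'max_range' => 50]]),
    ];
    $errors = [];
    if ($o['email'] === false)    $errors[] = 'email';
    if ($o['quantity'] === false) $errors[] = 'quantity';
    if (!in_array($o['gender'], ['male', 'female', 'other'], true)) $errors[] = 'gender';
    foreach (['firstName', 'lastName', 'address', 'message'] as $k) {
        $empty = $k !== 'message' && $o[$k] === '';   // message is optional
        if ($empty || preg_match('~https?://|\[/?(url|link)\b~i', $o[$k])) $errors[] = $k;
    }
    return [$o, $errors];
}

// Both rows are stored atomically; values travel as bound parameters, never as SQL text.
function saveOrder(mysqli $conn, array $o): int {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli throws on failure
    $conn->begin_transaction();
    try {
        $stmt = $conn->prepare('INSERT INTO users (firstName, lastName, email, gender) VALUES (?, ?, ?, ?)');
        $stmt->bind_param('ssss', $o['firstName'], $o['lastName'], $o['email'], $o['gender']);
        $stmt->execute();
        $userId = (int) $conn->insert_id;   // assumes users.userId is AUTO_INCREMENT
        $stmt = $conn->prepare('INSERT INTO brochureOrders (userId, address, numBrochures, message) VALUES (?, ?, ?, ?)');
        $stmt->bind_param('isis', $userId, $o['address'], $o['quantity'], $o['message']);
        $stmt->execute();
        $conn->commit();
        return $userId;
    } catch (mysqli_sql_exception $e) {
        $conn->rollback();
        throw $e;
    }
}
// Constructed input modelled on the spam entry in the question.
[$order, $errors] = validateOrder(['firstName' => 'Ann', 'lastName' => 'Lee',
    'gender' => 'female', 'email' => 'ann@example.com', 'quantity' => '2',
    'address' => 'x [url=http://spam.example/]spam[/url]']);
print_r($errors);
if (!$errors && isset($conn)) saveOrder($conn, $order); // $conn: open mysqli connection
```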